Phishing campaign exploits vulnerability in Windows Search

Microsoft has laid out a set of “Open App Store Principles” that will apply to the store it runs for Windows-powered computers and future marketplaces – Copyright AFP/File DENIS CHARLET

A new phishing campaign exploits a vulnerability in the Windows Search protocol. These emails use HTML attachments to download malicious files from remote servers, potentially putting your personal information, files, and even your entire computer at risk.

How worried should users be about this threat and are there any actions that can be taken to help to mitigate the risk? Jason Kent, Hacker in Residence at Cequence explains to Digital Journal the importance of proactive vulnerability management and how to prevent such attacks.

Kent begins by assessing the nature of the cyber-threat: “Just like most of these types of vulnerabilities, discovering a service that can be sent off rogue is difficult to catch until it is way too late.”

Philosophically, Kent muses: “Stopping all services from reaching out to the Internet would break many functions, but understanding which services are reaching out and what resources they require is paramount.”

This leads to the current threat and associated risk: “As this was discovered, it was realized that yet another function can grab information from the Internet but doesn’t have restrictions on what those pieces of information can be used for. In this case, they can trigger executables on the victim machine.”

So how do we prevent this?

According to Kent: “Well, outbound proxy calls that block this sort of thing would be ideal, but as well all know, work-from-home environments and the inability to keep traffic flowing to a centralized proxy makes that difficult.”

Kent continues with the solution: “The suggested remediation is to disable search functionality within each host. This is done by removing the registry keys for two search functionalities.”

This is:

reg delete HKEY_CLASSES_ROOT\search /f

reg delete HKEY_CLASSES_ROOT\search-ms /f

Kent cautions: “Before anyone tries this, they need to make sure it doesn’t break anything important. It’s also going to be a problematic thing to push out to remote employees.”

His final recommendation is: “In my honest opinion, setting your email server to embargo all emails with HTML attached might be bad, but we can see how dangerous it is to utilize HTML in emails. This is why it’s crucial to analyze all email attachments, not just text files.”